Most people are familiar with the concept of bring your own device (BYOD), where employees use a personal smartphone or tablet for work purposes, but very few employers have taken the necessary steps to protect themselves against the risks this trend entails.
The BYOD phenomenon has taken off principally because of the benefits of providing mobile access to more workers than was previously possible. However, the practice opens up new avenues for accessing sensitive data on employer networks, and it raises privacy questions and the potential for a host of employment-related claims. Despite these dangers, Forbes.com estimates that 80 percent of employers have not installed mobile device management plans on employees' devices, and many have not implemented a legally defensible BYOD policy.
Network security is the most obvious hazard. BYOD presents a vast array of challenges for IT departments, with a constant parade of new devices and operating systems to manage and protect. Integrating such systems is only the first step, and the security of each user's device is equally critical. Most U.S. states have security-breach notification laws that require companies to disclose any reasonable belief of a data security breach. Trade secrets and confidential information become far more vulnerable when information such as customer lists can be accessed or transmitted from employees' personal devices. Intellectual property ownership is another area ripe for legal disputes if BYOD policies are not properly drafted and implemented, due to uncertainty regarding works created on personal devices.
Mixing personal technology into the workplace can also expose employers to new threats of lawsuits.
Having work email on their phones or tablets encourages employees to check messages "off-the-clock," creating the potential for claims of overtime and missed meal and rest breaks. Because of the potential problems of monitoring and tracking such time, employers should limit any mobile device policy to "exempt" employees, if possible.
E-discovery requirements to preserve and produce electronically stored information include data on employee-owned devices. This ranges from emails to text messages and voice mails, but it can also include postings to social media sites. By way of example, a New Jersey court recently found that a plaintiff committed spoliation when he deleted his Facebook account. The judge granted the defendant's request for an adverse inference jury instruction due to the failure to preserve evidence. (Gatto v. United Airlines, 2013 WL 1285285 (D. N.J.).)
Hostile work environment.
BYOD expands the potential for employees to send inappropriate, harassing, or discriminatory messages to coworkers or subordinates through the company server, particularly after regular work hours. On a basic level, if the employer has access to those messages it makes it more difficult to argue that the employer did not know such communications had occurred.
Too much information.
Access to information that an employer would rather not have - about medical information, sexual orientation, religious beliefs, genetics, etc. - could give rise to claims that employment decisions were made for unlawful reasons based upon these protected characteristics.
In California, Labor Code 2802 requires employers to reimburse employees for all necessary expenditures or losses incurred in the discharge of their duties. From a legal perspective, BYOD is a relatively new trend and courts have not yet addressed what related expenses are necessary and must be reimbursed. The cost of the mobile device itself? The data plan? Text message charges? Or call plans allowing for unlimited minutes? These uncertainties provide further reason for employers to implement a robust BYOD policy. For companies that have not optimized cost structure and compliance, unfettered BYOD can actually cost more in the long run than company-owned mobile devices. Aberdeen Group found that a company with 1,000 BYOD mobile devices spends, on average, an additional $170,000 per year.
After deciding what technology costs should be reimbursed, the next question is how - through increased compensation, commission payments, or direct reimbursement of the actual costs. Although there can be some flexibility about the method of reimbursement, getting the policy wrong (or failing to implement one at all) is a sure way to draw legal action. Indeed, many employers have already faced class actions challenging their failure to reimburse work-related cell phone expenses.
Privacy v. Data Protection
Although it is not uncommon for employers to monitor employees' online activity, many employers are moving toward blocking, firewalling, or restricting Web access based on authentication and encryption. Similarly, employers have begun to prohibit the storage of company information on any cloud-based sites such as Dropbox or iCloud. But the question remains: Where should employers draw the line between their right to protect sensitive data and the employee's right to privacy? In the government sector, the U.S. Supreme Court held that even where a public employee has a reasonable expectation of privacy, it can be outweighed for a search with a legitimate work-related purpose (Ontario v. Quon, 130 S. Ct. 2619 (2010)). The facts of the case could influence similar claims against private employers.
Data privacy is particularly complex for multinational enterprises that are subject to privacy laws in any number of countries. In the United Kingdom, for example, the Data Protection Act of 1998 is supposed to hold employers responsible for protecting the work-related content on an employee's device. Although the United States has no similarly comprehensive legislation, one point of commonality arising in various jurisdictions is that employees must give written, fully informed consent before an employer can access their personal data. Our federal Computer Fraud and Abuse Act (18 U.S.C. § 1030) prohibits unauthorized access to an individual's computer, which includes personal devices being used for work purposes. Similarly, under the Stored Communications Act (18 U.S.C. § 2701), employees' personal communications stored electronically are private and protected, and authorization is required to access such information.
In light of these challenges, employers should ensure that their employees understand the risks and responsibilities of a BYOD system. The first step is likely to be instituting a mobile device management (MDM) plan, giving the employer the ability to remotely locate and wipe the device if it is lost or stolen. Because data on a mobile device is stored in a file system on a disk, employers should implement a security policy whereby all company data is fully encrypted and devices are password protected. A move toward more robust passwords, with more frequent changes, will help protect device security. Employers should also define sensitive information, and restrict access to only those employees who need it. Furthermore, just as employers take away a terminated employee's office keys, a similar process should automatically follow for digital data, whereby employees are "locked out" of the system. This may be as simple as informing IT of the departure, but it is something that is overlooked time and again. An example is the recent Department of Justice conspiracy indictment against Matthew Keys, who was terminated by a Sacramento TV station two months before he allegedly gave his still-active Tribune Company login credentials to the hacking group Anonymous. (Keys has pleaded not guilty.) Finally, employers should consider an acceptable-use policy that strikes a balance between affording appropriate employee privacy and protecting against legal liability.
Once the policy is in place, employee training is crucial. Just as employers have offered sexual harassment and discrimination seminars addressing face-to-face contact between coworkers, they should explicitly train employees on appropriate contact in the digital realm, too. Similarly, employees should be made aware that if they participate in BYOD, the employer will have the power to wipe their entire device, which may compromise their personal data. Universally, consent is vital. Employees must agree to install MDM applications on their devices, and to the company remotely wiping the device if security is compromised, or upon termination of employment.
To minimize legal risks, BYOD policies should be tailored to the employer's specific needs. Some employers have no interest in monitoring employees' email, while others may want to at least preserve the right to do so. Depending upon the industry, employers may want even greater control over employee devices, which requires additional protective measures. Some employers include clauses in their BYOD agreements under which they may purchase the device from the employee, sometimes for as little as a dollar. That device is then sold back to the employee upon leaving the organization.
Although the boundaries of BYOD law have yet to develop, employers wanting to avoid being a test case should implement policies to protect against these risks and to clarify the duties and responsibilities in the employer-employee relationship.
Paul S. Cowie is a partner in Sheppard Mullin Richter & Hampton's labor and employment practice group in Palo Alto. Dorna Moini is a labor and employment associate in the firm's San Francisco office.